Zero Day PowerShell Attacks Heading Your Way
http://www.blueridgenetworks.com/securitynowblog/zero-day-powershell-attacks-advanced-persistent-threat-protection-software
Cyber criminals are undoubtedly developing and distributing malicious PowerShell based malware attacks that researchers say cannot be stopped by antivirus, HIPS, SRP, or just about any other security software product that you may have on your computer.
The obvious workaround is to remove PowerShell.exe from computers. However, this cannot be done for Windows 7 because it is embedded in the operating system.
I feel there is some mis-information here. In my security setup/approach post, I emphasise the importance of blocking already built-in scripting programs like cmd.exe and cscript.exe. For Windows 7 and in the context of Powershell, you would simply need to block "powershell.exe" and "powershell_ise.exe" as I discussed here:
http://ssj100.fullsubject.com/windows-hardening-f5/blocking-powershell-t7.htm#21
Another method of disabling Powershell is to simply rename "powershell.exe" and "powershell_ise.exe" (much like what I've personally done with renaming cmd.exe to allow Sandboxie's delete mechanism to function). In this way, you can still manually invoke Powershell as required, while any spontaneous remote execution (eg. initiated by malware) would be blocked.
Furthermore, Classical HIPS software can also be configured to block "powershell.exe" and "powershell_ise.exe" from executing. Therefore, I'm not sure what exactly Eirik Iverson (author of the article) is referring to or meaning when he writes that SRP/HIPS can't stop Powershell scripts.
_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

ssj100- Administrator

- Posts: 1320
Join date: 2010-04-14
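As an added example (not code from the thread or from ssj100), a read-only PowerShell audit of the machine-level SRP policy the post above relies on: it reports the default level and enforcement scope, whether .ps1/.js are designated file types (SRP only evaluates extensions in that list), and whether any path rule covers powershell.exe or powershell_ise.exe. It assumes an elevated session on Windows 7, the documented Safer\CodeIdentifiers registry layout, and the default System32\WindowsPowerShell\v1.0 location for the hosts.

```powershell
# Added example, not code from the thread: read-only audit of the machine-level
# SRP policy ssj100 describes. Assumptions: run elevated on Windows 7, SRP stores
# its rules under the Safer\CodeIdentifiers key shown here, and the PowerShell
# host binaries live in System32\WindowsPowerShell\v1.0 (default location).
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'BasicUser'; 0x40000 = 'Unrestricted' }
$targets = 'powershell.exe', 'powershell_ise.exe'

if (-not (Test-Path $srp)) { Write-Warning 'No SRP policy present in the registry.'; return }
$cfg = Get-ItemProperty -Path $srp

# 1. Default security level and enforcement scope.
#    TransparentEnabled: 1 = all software files except DLLs, 2 = DLLs too.
#    PolicyScope: 0 = all users, 1 = all users except local administrators.
$default = if ($null -ne $cfg.DefaultLevel) { $levelNames[[int]$cfg.DefaultLevel] } else { 'not set' }
"Default level : $default"
"Enforcement   : TransparentEnabled=$($cfg.TransparentEnabled) PolicyScope=$($cfg.PolicyScope)"

# 2. Designated file types. SRP only evaluates extensions in this list, so a
#    .ps1 or .js double-clicked on the desktop is not checked unless listed.
$types = @($cfg.ExecutableTypes)
foreach ($ext in 'PS1', 'JS', 'VBS') {
    $state = if ($types -contains $ext) { 'designated' } else { 'NOT designated' }
    "File type .$ext : $state"
}

# 3. Path rules live under <level>\Paths\{GUID}; ItemData holds the pattern.
$rules = foreach ($lvl in Get-ChildItem -Path $srp) {
    if ($lvl.PSChildName -notmatch '^\d+$') { continue }   # level keys are numeric
    $pathKey = "$($lvl.PSPath)\Paths"
    if (Test-Path $pathKey) {
        foreach ($r in Get-ChildItem -Path $pathKey) {
            $p = Get-ItemProperty -Path $r.PSPath
            New-Object PSObject -Property @{ Level = $levelNames[[int]$lvl.PSChildName]; Path = $p.ItemData }
        }
    }
}
$rules | Format-Table -AutoSize

# 4. Does any path rule cover the PowerShell hosts, and are they on disk at all?
foreach ($t in $targets) {
    $hits = @($rules | Where-Object { $_.Path -like "*$t" })
    $onDisk = Test-Path (Join-Path $env:SystemRoot "System32\WindowsPowerShell\v1.0\$t")
    if ($hits.Count -gt 0) {
        "$t : rule level(s) $(($hits | ForEach-Object { $_.Level }) -join ', ') (present on disk: $onDisk)"
    } else {
        "$t : no path rule, default level applies (present on disk: $onDisk)"
    }
}
```

The script changes nothing; a host that shows no rule and a default level of Unrestricted is the case the article's claim rests on, and a Disallowed path rule on both hosts is the configuration ssj100 recommends.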

Re: Zero Day PowerShell Attacks Heading Your Way
That article reads like they are just trying to promote AppGuard.

languy99- Valued Member

- Posts: 54
Join date: 2010-07-20
Re: Zero Day PowerShell Attacks Heading Your Way
@ssj100/Languy 99
Is that the name you use to search for? PowerShell.exe?
If so, I also do not have it on board XP SP3.
Don't have it, never will!!
Have you guys noticed that a lot of these exploits are things you almost have to go out of your way to be victimized by?
If people would only install less dreck, and turn off/remove the stuff they do not need, so much of this esoterica could be avoided.
Not to preach, but this is where I love Sandboxie/Shadow Defender.
I can install some kind of dodgy media player that I would NEVER consider having on my real system, not just because of the malware risk, but because of all the updaters, notifiers, etc. they install.
I can watch my crappy horror movie, empty the Sandbox, reboot, and I keep dodging the bullet!!
noor
_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

noorismail- Moderator

- Posts: 193
Join date: 2010-06-23
Re: Zero Day PowerShell Attacks Heading Your Way
noorismail wrote: @ssj100/Languy 99
Is that the name you use to search for? PowerShell.exe?
If so, I also do not have it on board XP SP3.
Don't have it, never will!!
Have you guys noticed that a lot of these exploits are things you almost have to go out of your way to be victimized by?
If people would only install less dreck, and turn off/remove the stuff they do not need, so much of this esoterica could be avoided.
Not to preach, but this is where I love Sandboxie/Shadow Defender.
I can install some kind of dodgy media player that I would NEVER consider having on my real system, not just because of the malware risk, but because of all the updaters, notifiers, etc. they install.
I can watch my crappy horror movie, empty the Sandbox, reboot, and I keep dodging the bullet!!
noor
Yes, you shouldn't have Powershell on Windows XP unless you specifically manually installed it yourself. 99.9999% of home users have absolutely no use for it, and I'm one of them (and I see you are too).
Funny you mention the "crappy horror movie" - I just watched one haha, and about to watch another!

ssj100- Administrator


Re: Zero Day PowerShell Attacks Heading Your Way
Oh, yeah, I am addicted to them. I have to get my "C" grade horror fix on a daily basis!!
So many of the sites have been pulled down now, you have to look a bit to find one..
noor

noorismail- Moderator

Re: Zero Day PowerShell Attacks Heading Your Way
noorismail wrote: @ssj100/Languy 99
Not to preach, but this is where I love Sandboxie/Shadow Defender.
I can install some kind of dodgy media player that I would NEVER consider having on my real system, not just because of the malware risk, but because of all the updaters, notifiers, etc. they install.
I can watch my crappy horror movie, empty the Sandbox, reboot, and I keep dodging the bullet!!
noor
Exactly. I do the same except with VMs and SBIE.
tnegjm- Member

- Posts: 34
Join date: 2010-04-20
Re: Zero Day PowerShell Attacks Heading Your Way
@tnegjm
Yeah, spot on!!
Gets the job done!!
noor

noorismail- Moderator

Re: Zero Day PowerShell Attacks Heading Your Way
AppLocker can block PowerShell scripts.
MrBrian- Member

- Posts: 14
Join date: 2010-07-01
Re: Zero Day PowerShell Attacks Heading Your Way
MrBrian wrote:AppLocker can block PowerShell scripts.
Given SRP can block them (10 year old technology), it's good to see AppLocker can as well haha.

ssj100- Administrator


Re: Zero Day PowerShell Attacks Heading Your Way
Have you tested to see if SRP can block PowerShell scripts? The reason I ask is I can block .js (Javascript) files in SRP file types and sure enough, if I create a .js file on my desktop and double-click it, SRP will step in and prevent it from executing. But SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.
I'm not familiar with PowerShell or how it receives its scripts, but if it is from within its own virtual address space, like a browser receives its .js files or Word receives its macros, then SRP won't be able to intercede.
Tranquility- Member

- Posts: 18
Join date: 2010-07-24
Re: Zero Day PowerShell Attacks Heading Your Way
Tranquility wrote: Have you tested to see if SRP can block PowerShell scripts? The reason I ask is I can block .js (Javascript) files in SRP file types and sure enough, if I create a .js file on my desktop and double-click it, SRP will step in and prevent it from executing. But SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.
I'm not familiar with PowerShell or how it receives its scripts, but if it is from within its own virtual address space, like a browser receives its .js files or Word receives its macros, then SRP won't be able to intercede.
Good question. I wonder if AppLocker can block such scripts when launched within a browser/word etc?
By the way, I think Powershell scripts require powershell.exe or powershell_ise.exe in order to run. As I understand it, the same applies for any processes that try to run via the command prompt if cmd.exe and command.com are directly blocked from running.
Again, I would really like to get hold of some real live malware (or even a POC, since such live malware probably doesn't exist in-the-wild) that executes via java or macros (and which bypasses a tightly configured SRP). Regardless, even if such malware did bypass SRP (please PM me a sample haha), I guess that's why I run Sandboxie!

ssj100- Administrator

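As an added example (not code from the thread, MrBrian or ssj100), a PowerShell check for MrBrian's point that AppLocker can block PowerShell scripts and ssj100's note that scripts still need powershell.exe or powershell_ise.exe: it reads the effective AppLocker policy and asks it what it would decide for the two host binaries and for a constructed probe .ps1. It assumes a Windows 7 edition that ships AppLocker (Enterprise or Ultimate), an elevated session, and a throwaway probe file in %TEMP%.

```powershell
# Added example, not code from the thread: ask the effective AppLocker policy what
# it would decide for the two PowerShell hosts and for a constructed .ps1, which
# tests MrBrian's claim and ssj100's note that scripts need powershell.exe.
# Assumptions: Windows 7 Enterprise/Ultimate (the editions that ship AppLocker),
# an elevated session, and a throwaway probe script written to %TEMP%.
Import-Module AppLocker

# AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
"AppIDSvc : $(if ($svc) { $svc.Status } else { 'not installed' })"

$policy = Get-AppLockerPolicy -Effective

# Enforcement mode per rule collection; 'Script' governs .ps1/.bat/.cmd/.vbs/.js.
# An AuditOnly collection only logs, so a Denied decision below is not enforced there.
foreach ($rc in $policy.RuleCollections) {
    $n = ($rc | Measure-Object).Count
    "{0,-7} {1,-13} rules={2}" -f $rc.RuleCollectionType, $rc.EnforcementMode, $n
}

# Constructed, harmless probe script: it is only evaluated against policy, never run.
$probe = Join-Path $env:TEMP 'applocker-probe.ps1'
Set-Content -Path $probe -Value 'Write-Output "probe"'

$psHome = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0'
$paths = @(@("$psHome\powershell.exe", "$psHome\powershell_ise.exe", $probe) | Where-Object { Test-Path $_ })

# Decision as seen by a standard user (Everyone), with the rule that matched.
$decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $paths -User Everyone
$decisions |
    Select-Object FilePath, PolicyDecision, @{ n = 'Rule'; e = { $_.MatchingRule.Name } } |
    Format-Table -AutoSize

# Summary against the thread's question: would both the script and its host be stopped?
$blocked = @($decisions | Where-Object { $_.PolicyDecision -like 'Denied*' })
"Blocked : $($blocked.Count) of $($paths.Count) paths"
Remove-Item -Path $probe -ErrorAction SilentlyContinue
```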

Re: Zero Day PowerShell Attacks Heading Your Way
Tranquility wrote:But, SRP will not stop .js files from running in IE, or any other browser for that matter, while browsing the web.
By the way Tranquility, could you please link me to a site which executes .js files in the manner you describe? I'd like to test this for myself. I did it by trying to open/run a .js file (that was on my desktop) via IE and SRP blocked it - clearly, this wasn't what you were talking about. Cheers mate.

ssj100- Administrator


Re: Zero Day PowerShell Attacks Heading Your Way
Perhaps you misunderstood? Almost all websites today use javascript. IE will download and run .js files included in those websites, even with .js files disallowed by SRP. It is able to do so because IE loads and runs the files within its own virtual address space. The same thing happens with Adobe software and its PDF files. Once the PDF file is opened - ergo, opened into Adobe's virtual address space - the only thing controlling whether any scripts contained within that PDF run is Adobe's settings.
I'm not familiar with PowerShell or the files it uses to know whether the same things can occur there.
Tranquility- Member

- Posts: 18
Join date: 2010-07-24
Re: Zero Day PowerShell Attacks Heading Your Way
Tranquility wrote:Perhaps you misunderstood? Almost all websites today use javascript. IE will download and run .js files included in those websites, even with .js files disallowed by SRP. It is able to do so because IE loads and runs the files within its own virtual address space. The same thing happens with Adobe software and its PDF files. Once the PDF file is opened - ergo, opened into Adobe's virtual address space - the only thing controlling whether any scripts contained within that PDF run is Adobe's settings.
Well, I can't find the reference right now, but I remember reading somewhere that if you specifically blocked (via SRP) a certain .DLL file, then javascript wouldn't work in websites too - that means SRP can block javascript, right? The reason why lots of things function (like javascript) is because (like me) you've probably white-listed the entire C:\Windows folder (which I think contains the DLLs required to run javascript in websites etc). Once I find that reference again, I can test it out. For me, it's no concern, given I sandbox my web browsers etc. with Sandboxie, but it'd be good to know the extent of what SRP is capable of.

ssj100- Administrator


Re: Zero Day PowerShell Attacks Heading Your Way
ssj100 wrote:
Well, I can't find the reference right now, but I remember reading somewhere that if you specifically blocked (via SRP) a certain .DLL file, then javascript wouldn't work in web-sites too
I think it's "jscript.dll".
With UAC enabled, IE operates in "Protected Mode" which acts like a sandbox.
Internet Explorer 7's "Protected Mode" feature uses UAC to run with a 'low' integrity level (a Standard user token has an integrity level of 'medium'; an elevated (Administrator) token has an integrity level of 'high'). As such, it effectively runs in a sandbox, unable to write to most of the system (apart from the Temporary Internet Files folder) without elevating via UAC. Since toolbars and ActiveX controls run within the Internet Explorer process, they will run with low privileges as well, and will be severely limited in what damage they can do to the system.
http://en.wikipedia.org/wiki/User_Account_Control#Features
Sadeghi85- Member

- Posts: 66
Join date: 2010-07-23